
LDAP authentication via pam_ldap

I'm researching methods to store encrypted passwords in LDAP. Currently I've found that the pam_ldap module is available to enable you to store & change passwords. I now want to create an API to the LDAP server through which a user can (1) set and (2) retrieve passwords. I've already created an LDAP API which serves as a wrapper around the core C LDAP API, i.e. ldap_bind, ldap_add, etc. Would it be possible now to add onto this API and create a wrapper with functions named e.g. LDAP_Change_Pwd, LDAP_Retrieve_Pwd? Also, how do I store encrypted passwords in LDAP? Thanks
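The following is an added example, not code from the original post: it shows how a hashed userPassword value is built and checked in the {SSHA} (salted SHA-1) scheme that OpenLDAP uses when it hashes passwords itself, the "{scheme}value" convention from RFC 2307. Assumptions: an OpenLDAP-style directory, Python 3 standard library only (no libldap or python-ldap needed), and a 4-byte salt as slappasswd emits. The LDIF record at the end is what a client-side LDAP_Change_Pwd wrapper built on ldap_modify would hand to the server; the DN and password in it are made up.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example: {SSHA} userPassword values as OpenLDAP stores them:
#   "{SSHA}" + base64( sha1(password || salt) || salt )
# The salt length is an assumption (4 bytes, as slappasswd emits); verifiers
# treat everything after the 20-byte digest as salt, so other lengths also work.
DIGEST_LEN = 20
SALT_LEN = 4


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value for `password`, with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """True if `password` matches a stored {SSHA} value; False for any other scheme."""
    if stored[:6].upper() != "{SSHA}":
        return False            # cleartext or another scheme: do not guess
    try:
        blob = base64.b64decode(stored[6:], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(blob) <= DIGEST_LEN:
        return False            # no salt present: malformed value
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def userpassword_modify_ldif(dn: str, password: str) -> str:
    """LDIF change record that replaces userPassword with a fresh {SSHA} value,
    i.e. the modification a client-side LDAP_Change_Pwd wrapper would send via ldap_modify."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ssha_hash(password)}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample: a made-up DN and password, not data from the post.
    print(userpassword_modify_ldif("uid=jay,dc=example,dc=com", "s3cret"))
```

Two points a practitioner would want here: the value is a one-way hash, so an LDAP_Retrieve_Pwd function can only verify a candidate (or let the server verify it by performing a simple bind as that user), never hand the password back; and hashing on the client side fixes the scheme in the client, whereas the Password Modify extended operation lets the server apply whatever hash its own policy configures. SHA-1 based {SSHA} is a legacy scheme kept here because it is what the page's tooling produces by default.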
Re: [jayden_t] LDAP authentication via pam_ldap
Found something related to my question: The LDAP API has a function called ldappasswd that is used to modify an LDAP attribute.

DESCRIPTION
ldappasswd is a tool to set the password of an LDAP user. ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation. ldappasswd sets the password associated with the user [or an optionally specified user]. If the new password is not specified on the command line and the user doesn't enable prompting, the server will be asked to generate a password for the user. ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.

This function can be used to modify an LDAP user's password. To authenticate securely using a SASL mechanism, a bind function can be used:

int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
struct berval *cred, LDAPControl *sctrls[],
LDAPControl *cctrls[], int *msgidp);

But I still haven't found an LDAP function which allows a user who is stored in LDAP to authenticate using an encrypted password that is one of that user's attributes. Also, I'm searching for a way to modify this password on the server, keeping in mind that this is not a password to bind to the LDAP server but an actual attribute stored in a node in the server's directory tree. These processes must involve some encryption so that users can only modify information relative to their node in the LDAP binary tree.